DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI "Request a Copy" feature does not properly escape values submitted and stored from the "Request a Copy" form. This means that item requests could be vulnerable to XSS attacks. This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds for this vulnerability.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "6.0"
},
{
"fixed": "6.4"
},
{
"introduced": "4.0"
},
{
"fixed": "5.11"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31192.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-79"
]
}"2026-07-09T06:35:09Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31192.json"
[
{
"id": "CVE-2022-31192-476b8510",
"digest": {
"line_hashes": [
"194256693938643061146082747784343617780",
"74097944488310406589478838007677848881",
"274268665387351830738484623536498219154",
"8206378877108847774533840159145203315",
"146508925465581470121161005701242566557",
"140751182846231614761886246628891142077",
"70468589860306572260587328004349284239",
"291195736580888230876166404512085943559",
"206362487785960115410173619202220527132"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/dspace/dspace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9",
"deprecated": false,
"target": {
"file": "dspace-jspui/src/main/java/org/dspace/app/webui/servlet/ControlledVocabularyServlet.java"
}
},
{
"id": "CVE-2022-31192-7b33cc97",
"digest": {
"line_hashes": [
"240125148155819091247958523096144575939",
"233682258469893035653141995749467006280",
"202682495362759076194052651027547099439",
"28261864205396084798060666818116278551",
"270432885077173819013578067505069100578",
"159273592358450449336448641282821250264",
"65947284034159798043009076404118209612",
"271426286381390419966187165771763577058",
"251459721155963050119277945206030581772",
"116453322095577555906749711565193094461",
"194478275069789755453560039026311669706",
"299359489054852360047597991463740640279",
"300952596974369259220542568895834875694",
"181280404401531136713991362578518301761",
"157469177783427834267903909027053803417",
"51785655702404770080814783461560181526",
"17526080584380723088010611086825158256",
"214242195580895591868517007665876911675",
"222329653360355916360352515236536333180"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/dspace/dspace/commit/28eb8158210d41168a62ed5f9e044f754513bc37",
"deprecated": false,
"target": {
"file": "dspace-jspui/src/main/java/org/dspace/app/webui/servlet/RequestItemServlet.java"
}
},
{
"id": "CVE-2022-31192-85275fcc",
"digest": {
"function_hash": "119780573979426861905177072604783249930",
"length": 554.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/dspace/dspace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9",
"deprecated": false,
"target": {
"function": "doDSGet",
"file": "dspace-jspui/src/main/java/org/dspace/app/webui/servlet/ControlledVocabularyServlet.java"
}
},
{
"id": "CVE-2022-31192-948b4994",
"digest": {
"line_hashes": [
"280703769348833585140214737691580170238",
"98857403741070964250262377442763604321",
"278122081367865147941328557323411938483",
"279853772842254011400823164746458957202",
"268139018561406650715433971978735275142",
"28883260814151293730921355896739253598",
"76190876592172915590978150931591314963",
"239084851651567176113199866281534348546"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/dspace/dspace/commit/28eb8158210d41168a62ed5f9e044f754513bc37",
"deprecated": false,
"target": {
"file": "dspace-jspui/src/main/java/org/dspace/app/webui/util/RequestItemManager.java"
}
},
{
"id": "CVE-2022-31192-d327c38b",
"digest": {
"function_hash": "317295592183450026022944795436597551965",
"length": 529.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/dspace/dspace/commit/28eb8158210d41168a62ed5f9e044f754513bc37",
"deprecated": false,
"target": {
"function": "getLinkTokenEmail",
"file": "dspace-jspui/src/main/java/org/dspace/app/webui/util/RequestItemManager.java"
}
},
{
"id": "CVE-2022-31192-f791f49d",
"digest": {
"function_hash": "13364175414845922852360051965689805382",
"length": 3782.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/dspace/dspace/commit/28eb8158210d41168a62ed5f9e044f754513bc37",
"deprecated": false,
"target": {
"function": "processForm",
"file": "dspace-jspui/src/main/java/org/dspace/app/webui/servlet/RequestItemServlet.java"
}
}
]